hacking web sites cross site scripting
play

Hacking Web Sites Cross Site Scripting Emmanuel Benoist Fall Term - PowerPoint PPT Presentation

Dec 11, 2023 •287 likes •792 views

Hacking Web Sites Cross Site Scripting Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ecole sp ecialis ee bernoise | Berne University of Applied Sciences 1 Table of Contents Presentation Stored XSS Reflected

  1. Hacking Web Sites Cross Site Scripting Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 1

  2. Table of Contents Presentation � Stored XSS Reflected XSS DOM based XSS What can be achieved? � Testing strategies � Countermeasures � Anti XSS HTTP-Headers Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 2

  3. Presentation Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 3

  4. Cross Site Scripting - XSS If the web site allows uncontrolled content to be supplied by users User can write content in a Guest-book or Forum User can introduce malicious code in the content Example of malicious code Modification of the Document Object Model - DOM (change some links, add some buttons) Send personal information to thirds (javascript can send cookies to other sites) Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 4

  5. modus Operandi Attacker Executes Script on the Victim’s machine Is usually Javascript Can be any script language supported by the victim’s browser Three types of Cross Site Scripting Reflected Stored DOM injection Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 5

  6. Stored XSS Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 6

  7. Stored XSS Hostile Data is taken and stored In a file In a Database or in any other backend system Then Data is sent back to any visitor of the web site Risk when large number of users can see unfiltered content Very dangerous for Content Management Systems (CMS) Blogs forums Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 7

  8. Example of Stored XSS A user has access to a CMS (Content Management System) The user can write some content (home page, news, blogs, ...) The user can modify the layout and edit content Hello world <b>Everybody</b><br> I want to say something! This content will be saved in a database The content will be shown to all (or some) visitors of the site The user can write: Hello <b> World</b><script>alert("Hello");</ ց → script> Any visitor reading the page will execute the script Page shows an alert message But can be much more dangerous Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 8

  9. Other stored XSS One can manipulate the DOM in JavaScript Access a DOM node, change its content document.getElementById() and change innerHTML Suppose the page contains this HTML <h1 id="title">This is the title</h1> The following can be injected Hello <b>World</b> <script>document.getElementById(title).innerHTML ց → ="This �������site�was�hacked’’;</script> ���� Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 9

  10. Reflected XSS Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 10

  11. Reflected XSS The easiest exploit A page will reflect user supplied data directly back to the user It contains something like: echo $_REQUEST[’userinput’]; So when the user types: <script> alert("Hello�World"); </script> He receives an alert in his browser Danger If the URL (containing GET parameters) is delivered by a third to the victim The Victim will access a modified page SSL certificate and security warning are OK!!! Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 11

  12. Where is reflected XSS? I In any form where input is displayed Search form <form method="GET"> <input type="text" name="val"> <input type="submit" value="Send"> </form> <?php echo "The�search�you�did�is:".$_GET[’val’ ց → ]; print_results($_GET[’val’]); ?> Error message $x = $_GET[’val’]; if(!validation_is_OK($x)){ echo "Value�is�not�correct:".$x; } Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 12

  13. Where is reflected XSS? II XSS often in pages not intended for web browsers AJAX URL’s (normally for transferring data) JSON addresses (for data also) If they are loaded inside a browser, can they be misused. Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 13

  14. Exploit Reflected XSS Not easy: The message is normally only returned to the same person The reflecting XSS is difficult to exploit Idea: transfer an URL to the browser containing the parameters Parameters can be included inside the URL (GET requests and URL encoded parameters) https://www.mysite.com/?param=value URL is included inside a mail Can be a spam (for phishing) Or a targeted email (for spare phishing) The victim will click on the link The link looks very legitimate (right site, https, ...) : impossible to see it is not valide Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 14

  15. Example: Change an error message into a login page I Suppose we have this code: <?php $x = $_GET[’val’]; if(!validation_is_OK($x)){ echo "Value�is�not�correct:".$x; } ... ?> One will write the following link https://www.mysite.com/?val=%3Cscript+src%3D% 22evilProgram.js%22%3E%3C%2Fscript%3E Val is URL encoded: <script src="evilProgram.js"></script> Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 15

  16. Example Change an error message into a login page II Program does: Errase the content of the page Create new nodes Build a totally new Document Object Model (see later how to manipulate the DOM) Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 16

  17. DOM based XSS Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 17

  18. DOM Based XSS Document Object Model The document is represented using a tree The tree is rooted with the document node Each tag and text is part of the tree JavaScript is manipulated directly inside the client Does not need to be reflected by the server. Using misconfiguration of client side code Using flows in frameworks (AngularJS, JQuery, . . . ) XSS is directly injected inside the DOM Using JavaScript misprogramming Using a flow in a framework Using evaluation of rogue data XSS Modifies the Document Object Model (DOM) Javascript can manipulate all the document It can create new nodes, Remove existing nodes Change the content of some nodes Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 18

  19. Example of DOM based XSS Suppose we have the following JS-code <script> document.write("<b>Current�URL</b>�:�" + ց → document.baseURI); </script> If you send the following link to the browser (just URL encoded) http: //www.example.com/test.html#<script>alert ց → (1)</script> When the script is interpreted The document.wirte() function adds the content to the page: <script>alert(1)</script> It is executed! Nothing was ever sent to the server! Anchor (i.e. after the #) is used for navigation only Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 19

  20. Principles Input (source) is transfered to an output (sink) Input provided by the user If the output is written without being encoded : can be exploited Popular sources document.URL , document.documentURI , location.href , location.search , location.* , window.name , document.referrer Popular sinks document.write() , anything.innerHTML= someelements.src (for specific elements) Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 20

  21. What can be achieved? Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 21

  22. Document Object Model HTML is converted into a tree <html> <body> <div id="header"> <h1>Title of the page</h1> </div> <div id="menu"> <ul id="menu-list"> <li class="menuitem"> <a href="index.php?id=1">One</a> </li> <li class="menuitem"><a href="index.php?id=2">Two</a></ ց → li> <li class="menuitem"><a href="index.php?id=3">Three</a ց → ></li> </ul> </div> <div id="content"> <p> Hello World </p> </div> </div> Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 22

  23. Document Object Model (Cont.) Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo sharing, Facebook, etc. Which gets permanently stored And displayed Attack based on uploading a script Other users inadvertently download

512 views • 15 slides
Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo sharing, Facebook, etc. Which gets permanently stored And displayed Attack based on uploading a script Other users inadvertently download

428 views • 14 slides
Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected XSS Persistent XSS Damage done by XSS attacks XSS attacks to befriend with others XSS attacks to change other peoples

3.65k views • 37 slides
SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request forgery Code Injection Attacks Attacker executes arbitrary code on server Programming the program Not sanitizing user

287 views • 11 slides
LECTURE 23: MORE SECURITY CSE 442 Software Engineering Serious Hacking Attempts Cross Site

LECTURE 23: MORE SECURITY CSE 442 Software Engineering Serious Hacking Attempts Cross Site

LECTURE 23: MORE SECURITY CSE 442 Software Engineering Serious Hacking Attempts Cross Site Request Forgery Cross-Site Requests Same-site request if local page makes HTTP request Request sent to other site called cross-site request

750 views • 62 slides
Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Ste ff ens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock Dimensions of Cross-Site Scripting Server Client

413 views • 14 slides
Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security Web security, part 2 Announcements intermission Stephen McCamant Confidentiality and privacy University of Minnesota, Computer Science &amp;

892 views • 6 slides
Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks

Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks

Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks Introduction to Computer Security Confidentiality and privacy Day 19: Web security, part 2 Stephen McCamant Even more web risks University of

386 views • 11 slides
Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer

Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer

Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer Security Announcements intermission Web security and crypto failure combined Confidentiality and privacy lecture Even more web risks Stephen

435 views • 10 slides
Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji Prateek Saxena Dawn Song Illinois Institute UC Berkeley UC Berkeley Of Technology 1 A Cross-Site Scripting Attack Hi Joe, &lt;img src=&gt;

569 views • 42 slides
Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

IIG University of Freiburg Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 5 Cross Site Scripting 1 Table of Contents Presentation: Inject Javascript in a Page

506 views • 26 slides
Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting Executing unauthorized code XSRF - Cross-site request forgery Remote execution for logged-in users SQL Injection A malicious variable placed into a

681 views • 18 slides
Cyber@UC Meeting 43 Cross-site scripting (XSS) CEH Cryptography and Recon If Youre New!

Cyber@UC Meeting 43 Cross-site scripting (XSS) CEH Cryptography and Recon If Youre New!

Cyber@UC Meeting 43 Cross-site scripting (XSS) CEH Cryptography and Recon If Youre New! Join our Slack ucyber.slack.com SIGN IN! Feel free to get involved with one of our committees: Content, Finance, Public Affairs, Outreach,

560 views • 26 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web Tangled Itself: Uncovering the History of Client- Side Web (In)Security, USENIX Security 2017 But first..JavaScript security Pages now loaded

482 views • 46 slides
Cross-Site Scripting: analysis, identification and exploitation Mauro Gentile Web Application

Cross-Site Scripting: analysis, identification and exploitation Mauro Gentile Web Application

Cross-Site Scripting: analysis, identification and exploitation Mauro Gentile Web Application Security course (Elective in Computer Networks) prof. Fabrizio d'Amore Dept. of Computer, Control, and Management Engineering Antonio Ruberti

729 views • 28 slides
Real World Java Web Security Java User Group Karlsruhe Dominik Schadow | bridgingIT Who thinks

Real World Java Web Security Java User Group Karlsruhe Dominik Schadow | bridgingIT Who thinks

Real World Java Web Security Java User Group Karlsruhe Dominik Schadow | bridgingIT Who thinks about architecture while coding? architecture before coding? Who thinks about security while coding? security before

738 views • 70 slides
COSC 4P14 What else could we discuss? Brock University Brock University What else could we

COSC 4P14 What else could we discuss? Brock University Brock University What else could we

COSC 4P14 What else could we discuss? Brock University Brock University What else could we discuss? 1 / 28 Theres so much more out there! No matter how much time we spent here, we could never hope to cover every notable networked

673 views • 28 slides
7/11/2019 Quality Improvement in Primary Healthcare Melissa Williams Go to training Open and

7/11/2019 Quality Improvement in Primary Healthcare Melissa Williams Go to training Open and

7/11/2019 Quality Improvement in Primary Healthcare Melissa Williams Go to training Open and hide your control panel Join audio: Choose Mic &amp; Speakers to use VoIP or you can Choose Telephone and dial using the

318 views • 13 slides
Integrating Financial Capability Services Kori Hattemer HPOG Annual Meeting February 18, 2016

Integrating Financial Capability Services Kori Hattemer HPOG Annual Meeting February 18, 2016

Integrating Financial Capability Services Kori Hattemer HPOG Annual Meeting February 18, 2016 www.cfed.org @CFED /CFEDNews cfed.org/blog/inclusiveeconomy Who We Are Our mission at CFED is to make it possible for millions of people to

615 views • 35 slides
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1314 Chapter 18: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1314 Chapter 18: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1314 Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTML + HTTP CSS data request web server backend systems Chapter 18: 3 Web 1.0 Shorthand

1.09k views • 91 slides
Building a Scalable Recommender System with Apache Spark, Apache Kafka and Elasticsearch About

Building a Scalable Recommender System with Apache Spark, Apache Kafka and Elasticsearch About

Nov / 14 / 16 Nick Pentreath Building a Scalable Recommender System with Apache Spark, Apache Kafka and Elasticsearch About @MLnick Principal Engineer, IBM Apache Spark PMC Focused on machine learning Author of Machine Learning

666 views • 53 slides
Modeling Social Networking Privacy Carolina Dania IMDEA Software Institute - Spain Universidad

Modeling Social Networking Privacy Carolina Dania IMDEA Software Institute - Spain Universidad

Modeling Social Networking Privacy Carolina Dania IMDEA Software Institute - Spain Universidad Complutense de Madrid (Partially funded by NeSSOS) Supervisors Manuel Clavel Marina Egea IMDEA Software Institute Atos Research &amp; Innovation

1.31k views • 109 slides
Natural experiments in online social network assembly Abigail Jacobs | University of Colorado

Natural experiments in online social network assembly Abigail Jacobs | University of Colorado

Natural experiments in online social network assembly Abigail Jacobs | University of Colorado Boulder IC2S2 | June 25, 2016 + Sam Way (Colorado), Johan Ugander (Stanford), Aaron Clauset (Colorado) Assembling thefacebook: using heterogeneity to

661 views • 37 slides

More recommend